Last week, the Federal Bureau of Investigation (FBI) detailed the detection of an information-gathering operation affecting multiple U.S. government agencies, in a campaign attributed to threat actors sponsored by the Russian government. At first, agents believed the incident had affected about a dozen public offices, but the situation could be worse than expected.
According to William Evanina, director of the National Center for Security and Counterintelligence, the number of affected organizations is expected to grow: “I think the incident will spread as we continue to investigate; we still cannot give exact figures.” The list of agencies affected so far includes the U.S. Departments of Commerce, Treasury and Justice.
Although President Trump attributed the incident to Chinese hacking groups, the cybersecurity community maintains that the campaign was the work of hackers working for the Russian government.
Cybersecurity experts highlight the broad scope of this malicious campaign, noting that the affected organizations and contractors only detected the intrusion after months. Although it is still unknown what kind of information was compromised, the incident may be highly damaging to national security.
Unofficially, researchers estimate that up to 18,000 organizations worldwide could have been affected by this campaign, in an attack that could have spread through the compromised SolarWinds supply chain.
At the beginning of this week, SolarWinds released an update on the attack, stating that evidence indicates it began in September 2019, when threat actors managed to inject malicious code into its systems. This malicious code would have allowed the hackers to install a backdoor on every compromised SolarWinds installation. The malware was discovered almost a year after it was injected into the affected installations.
The federal agency did not add any further details, as the investigation is still ongoing. Affected organizations are expected to begin taking steps to mitigate the incident, including bulk resets of login credentials and the disconnection of some systems, among other precautions.